Vulnerability & Patch Roundup — March 2026
2026-4-1 20:54:52 Author: blog.sucuri.net

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

The vulnerabilities listed below are virtually patched by the Sucuri Firewall, and existing clients are already protected. If you don’t have it installed yet, you can use our web application firewall to protect your site against known vulnerabilities.


Plugins


Elementor Website Builder – more than just a page builder – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2026-1206
Number of Installations: 10,000,000+
Affected Software: Elementor Website Builder – more than just a page builder <= 3.35.7
Patched Versions: Elementor Website Builder – more than just a page builder 3.35.8

Mitigation steps: Update to Elementor Website Builder – more than just a page builder version 3.35.8 or greater.


Yoast SEO – Advanced SEO with real-time guidance and built-in AI – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3427
Number of Installations: 10,000,000+
Affected Software: Yoast SEO – Advanced SEO with real-time guidance and built-in AI <= 27.1
Patched Versions: Yoast SEO – Advanced SEO with real-time guidance and built-in AI 27.2

Mitigation steps: Update to Yoast SEO – Advanced SEO with real-time guidance and built-in AI version 27.2 or greater.


WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2026-25339
Number of Installations: 6,000,000+
Affected Software: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More <= 1.9.9.1
Patched Versions: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More 1.9.9.2

Mitigation steps: Update to WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More version 1.9.9.2 or greater.


Yoast Duplicate Post – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-1217
Number of Installations: 4,000,000+
Affected Software: Yoast Duplicate Post <= 4.5
Patched Versions: Yoast Duplicate Post 4.6

Mitigation steps: Update to Yoast Duplicate Post version 4.6 or greater.


Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-32461
Number of Installations: 3,000,000+
Affected Software: Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) <= 9.5.7
Patched Versions: Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) 9.5.8

Mitigation steps: Update to Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) version 9.5.8 or greater.


Complianz – GDPR/CCPA Cookie Consent – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2389
Number of Installations: 1,000,000+
Affected Software: Complianz – GDPR/CCPA Cookie Consent <= 7.4.4
Patched Versions: Complianz – GDPR/CCPA Cookie Consent 7.4.5

Mitigation steps: Update to Complianz – GDPR/CCPA Cookie Consent version 7.4.5 or greater.


MC4WP: Mailchimp for WordPress – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-1781
Number of Installations: 1,000,000+
Affected Software: MC4WP: Mailchimp for WordPress <= 4.11.9
Patched Versions: MC4WP: Mailchimp for WordPress 4.12.0

Mitigation steps: Update to MC4WP: Mailchimp for WordPress version 4.12.0 or greater.


Autoptimize – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2430
Number of Installations: 900,000+
Affected Software: Autoptimize <= 3.1.14
Patched Versions: Autoptimize 3.1.15

Mitigation steps: Update to Autoptimize version 3.1.15 or greater.


Autoptimize – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2352
Number of Installations: 900,000+
Affected Software: Autoptimize <= 3.1.14
Patched Versions: Autoptimize 3.1.15

Mitigation steps: Update to Autoptimize version 3.1.15 or greater.


W3 Total Cache – Arbitrary Code Execution

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Arbitrary Code Execution
CVE: CVE-2026-27384
Number of Installations: 900,000+
Affected Software: W3 Total Cache <= latest
Patched Versions: No Fix

Mitigation steps: No patch available. Consider disabling or removing the plugin until a fix is released.


Smart Slider 3 – Arbitrary File Download

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2026-3098
Number of Installations: 800,000+
Affected Software: Smart Slider 3 <= 3.5.1.33
Patched Versions: Smart Slider 3 3.5.1.34

Mitigation steps: Update to Smart Slider 3 version 3.5.1.34 or greater.


The Events Calendar – Arbitrary File Download

Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Arbitrary File Download
CVE: CVE-2026-3585
Number of Installations: 700,000+
Affected Software: The Events Calendar <= 6.15.17
Patched Versions: The Events Calendar 6.15.17.1

Mitigation steps: Update to The Events Calendar version 6.15.17.1 or greater.


Ninja Forms – The Contact Form Builder That Grows With You – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2026-1307
Number of Installations: 600,000+
Affected Software: Ninja Forms – The Contact Form Builder That Grows With You <= 3.14.1
Patched Versions: Ninja Forms – The Contact Form Builder That Grows With You 3.14.2

Mitigation steps: Update to Ninja Forms – The Contact Form Builder That Grows With You version 3.14.2 or greater.


Royal Addons for Elementor – Addons and Templates Kit for Elementor – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-2373
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049
Patched Versions: Royal Addons for Elementor – Addons and Templates Kit for Elementor 1.7.1050

Mitigation steps: Update to Royal Addons for Elementor – Addons and Templates Kit for Elementor version 1.7.1050 or greater.


Royal Addons for Elementor – Addons and Templates Kit for Elementor – Arbitrary File Upload

Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2025-13067
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049
Patched Versions: Royal Addons for Elementor – Addons and Templates Kit for Elementor 1.7.1050

Mitigation steps: Update to Royal Addons for Elementor – Addons and Templates Kit for Elementor version 1.7.1050 or greater.


Enable Media Replace – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-2732
Number of Installations: 600,000+
Affected Software: Enable Media Replace <= 4.1.7
Patched Versions: Enable Media Replace 4.1.8

Mitigation steps: Update to Enable Media Replace version 4.1.8 or greater.


Royal Addons for Elementor – Addons and Templates Kit for Elementor – Other Vulnerability Type

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Other Vulnerability Type
CVE: CVE-2026-28135
Number of Installations: 600,000+
Affected Software: Royal Addons for Elementor – Addons and Templates Kit for Elementor <= latest
Patched Versions: No Fix

Mitigation steps: No patch available. Consider disabling or removing the plugin until a fix is released.


SiteGuard WP Plugin – Bypass Vulnerability

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Bypass Vulnerability
CVE: CVE-2026-27411
Number of Installations: 600,000+
Affected Software: SiteGuard WP Plugin <= latest
Patched Versions: No Fix

Mitigation steps: No patch available. Consider disabling or replacing the plugin.


Ally – Web Accessibility & Usability – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2026-2413
Number of Installations: 500,000+
Affected Software: Ally – Web Accessibility & Usability <= 4.0.9
Patched Versions: Ally – Web Accessibility & Usability 4.1.0

Mitigation steps: Update to Ally – Web Accessibility & Usability version 4.1.0 or greater.


Checkout Field Editor (Checkout Manager) for WooCommerce – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3231
Number of Installations: 500,000+
Affected Software: Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7
Patched Versions: Checkout Field Editor (Checkout Manager) for WooCommerce 2.1.8

Mitigation steps: Update to Checkout Field Editor (Checkout Manager) for WooCommerce version 2.1.8 or greater.


PixelYourSite – Your smart PIXEL (TAG) & API Manager – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-1841
Number of Installations: 500,000+
Affected Software: PixelYourSite – Your smart PIXEL (TAG) & API Manager <= 11.2.0
Patched Versions: PixelYourSite – Your smart PIXEL (TAG) & API Manager 11.2.0.1

Mitigation steps: Update to PixelYourSite – Your smart PIXEL (TAG) & API Manager version 11.2.0.1 or greater.


Meta Box – Arbitrary File Deletion

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Arbitrary File Deletion
CVE: CVE-2025-14675
Number of Installations: 500,000+
Affected Software: Meta Box <= 5.11.1
Patched Versions: Meta Box 5.11.2

Mitigation steps: Update to Meta Box version 5.11.2 or greater.


Page Builder by SiteOrigin – Local File Inclusion

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2026-2448
Number of Installations: 500,000+
Affected Software: Page Builder by SiteOrigin <= 2.33.9
Patched Versions: Page Builder by SiteOrigin 2.34.0

Mitigation steps: Update to Page Builder by SiteOrigin version 2.34.0 or greater.


SureForms – Contact Form, Payment Form & Other Custom Form Builder – Broken Access Control

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-4987
Number of Installations: 500,000+
Affected Software: SureForms – Contact Form, Payment Form & Other Custom Form Builder <= 2.5.9
Patched Versions: SureForms – Contact Form, Payment Form & Other Custom Form Builder 2.6.0

Mitigation steps: Update to SureForms – Contact Form, Payment Form & Other Custom Form Builder version 2.6.0 or greater.


Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty – Sensitive Data Exposure

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2026-27370
Number of Installations: 400,000+
Affected Software: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty <= 3.5.1
Patched Versions: Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty 3.5.2

Mitigation steps: Update to Chaty version 3.5.2 or greater.


Happy Addons for Elementor – Insecure Direct Object References (IDOR)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2026-2917
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.21.0
Patched Versions: Happy Addons for Elementor 3.21.1

Mitigation steps: Update to Happy Addons for Elementor version 3.21.1 or greater.


Happy Addons for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2918
Number of Installations: 400,000+
Affected Software: Happy Addons for Elementor <= 3.21.0
Patched Versions: Happy Addons for Elementor 3.21.1

Mitigation steps: Update to Happy Addons for Elementor version 3.21.1 or greater.


Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery – Local File Inclusion

Security Risk: High
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2026-1463
Number of Installations: 400,000+
Affected Software: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 4.0.4
Patched Versions: Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery 4.0.5

Mitigation steps: Update to NextGEN Gallery version 4.0.5 or greater.


Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3090
Number of Installations: 400,000+
Affected Software: Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App <= 3.8.9
Patched Versions: Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App 3.9.0

Mitigation steps: Update to Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App version 3.9.0 or greater.


Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-2559
Number of Installations: 400,000+
Affected Software: Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App <= 3.8.9
Patched Versions: Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App 3.9.0

Mitigation steps: Update to Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App version 3.9.0 or greater.


Page Builder: Pagelayer – Drag and Drop website builder – Content Injection

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Content Injection
CVE: CVE-2026-2442
Number of Installations: 400,000+
Affected Software: Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.7
Patched Versions: Page Builder: Pagelayer – Drag and Drop website builder 2.0.8

Mitigation steps: Update to Page Builder: Pagelayer – Drag and Drop website builder version 2.0.8 or greater.


ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-4335
Number of Installations: 300,000+
Affected Software: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF <= 6.4.3
Patched Versions: ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF 6.4.4

Mitigation steps: Update to ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF version 6.4.4 or greater.


WP Go Maps (formerly WP Google Maps) – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-4268
Number of Installations: 300,000+
Affected Software: WP Go Maps (formerly WP Google Maps) <= 10.0.05
Patched Versions: WP Go Maps (formerly WP Google Maps) 10.0.06

Mitigation steps: Update to WP Go Maps (formerly WP Google Maps) version 10.0.06 or greater.


WP Mail Logging – PHP Object Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2026-2471
Number of Installations: 300,000+
Affected Software: WP Mail Logging <= 1.15
Patched Versions: WP Mail Logging 1.16

Mitigation steps: Update to WP Mail Logging version 1.16 or greater.


Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder – Broken Authentication

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Authentication
CVE: CVE-2026-2888
Number of Installations: 300,000+
Affected Software: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder <= 6.28
Patched Versions: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder 6.29

Mitigation steps: Update to Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder version 6.29 or greater.


Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder – Broken Access Control

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-2890
Number of Installations: 300,000+
Affected Software: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder <= 6.28
Patched Versions: Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder 6.29

Mitigation steps: Update to Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder version 6.29 or greater.


ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) – Privilege Escalation

Security Risk: Critical
Exploitation Level: Custom role
Vulnerability: Privilege Escalation
CVE: CVE-2026-1993
Number of Installations: 300,000+
Affected Software: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) <= 9.0.2
Patched Versions: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) 9.0.3

Mitigation steps: Update to ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) version 9.0.3 or greater.


ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) – Insecure Direct Object References (IDOR)

Security Risk: High
Exploitation Level: Custom role
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2026-1992
Number of Installations: 300,000+
Affected Software: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) <= 9.0.2
Patched Versions: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) 9.0.3

Mitigation steps: Update to ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) version 9.0.3 or greater.


Unlimited Elements For Elementor – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2724
Number of Installations: 300,000+
Affected Software: Unlimited Elements For Elementor <= 2.0.5
Patched Versions: Unlimited Elements For Elementor 2.0.6

Mitigation steps: Update to Unlimited Elements For Elementor version 2.0.6 or greater.


Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin – Privilege Escalation

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2026-4248
Number of Installations: 200,000+
Affected Software: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.11.2
Patched Versions: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin 2.11.3

Mitigation steps: Update to Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin version 2.11.3 or greater.


Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2569
Number of Installations: 100,000+
Affected Software: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer <= 2.4.26
Patched Versions: Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer 2.4.27

Mitigation steps: Update to Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer version 2.4.27 or greater.


Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-1236
Number of Installations: 100,000+
Affected Software: Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More <= 1.12.3
Patched Versions: Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More 1.12.4

Mitigation steps: Update to Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More version 1.12.4 or greater.


Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets – Remote Code Execution (RCE)

Security Risk: Critical
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2026-27984
Number of Installations: 100,000+
Affected Software: Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets <= latest
Patched Versions: No Fix

Mitigation steps: No patch available. Consider disabling or removing the plugin until a fix is released.


AI Engine – The Chatbot, AI Framework & MCP for WordPress – Arbitrary File Upload

Security Risk: Critical
Exploitation Level: Requires Editor or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2026-23802
Number of Installations: 100,000+
Affected Software: AI Engine – The Chatbot, AI Framework & MCP for WordPress <= 3.3.2
Patched Versions: AI Engine – The Chatbot, AI Framework & MCP for WordPress 3.3.3

Mitigation steps: Update to AI Engine – The Chatbot, AI Framework & MCP for WordPress version 3.3.3 or greater.


Download Manager – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-2571
Number of Installations: 100,000+
Affected Software: Download Manager <= 3.3.49
Patched Versions: Download Manager 3.3.50

Mitigation steps: Update to Download Manager version 3.3.50 or greater.


LatePoint – Calendar Booking Plugin for Appointments and Events – Insecure Direct Object References (IDOR)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2026-32533
Number of Installations: 100,000+
Affected Software: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6
Patched Versions: LatePoint – Calendar Booking Plugin for Appointments and Events 5.2.7

Mitigation steps: Update to LatePoint – Calendar Booking Plugin for Appointments and Events version 5.2.7 or greater.


LatePoint – Calendar Booking Plugin for Appointments and Events – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2324
Number of Installations: 100,000+
Affected Software: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7
Patched Versions: LatePoint – Calendar Booking Plugin for Appointments and Events 5.2.8

Mitigation steps: Update to LatePoint – Calendar Booking Plugin for Appointments and Events version 5.2.8 or greater.


LatePoint – Calendar Booking Plugin for Appointments and Events – SQL Injection

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2026-1487
Number of Installations: 100,000+
Affected Software: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7
Patched Versions: LatePoint – Calendar Booking Plugin for Appointments and Events 5.2.8

Mitigation steps: Update to LatePoint – Calendar Booking Plugin for Appointments and Events version 5.2.8 or greater.


LatePoint – Calendar Booking Plugin for Appointments and Events – Privilege Escalation

Security Risk: High
Exploitation Level: Requires Agent or higher level authentication.
Vulnerability: Privilege Escalation
CVE: CVE-2026-1566
Number of Installations: 100,000+
Affected Software: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7
Patched Versions: LatePoint – Calendar Booking Plugin for Appointments and Events 5.2.8

Mitigation steps: Update to LatePoint – Calendar Booking Plugin for Appointments and Events version 5.2.8 or greater.


My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2026-3657
Number of Installations: 100,000+
Affected Software: My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) <= 2.8.6
Patched Versions: My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) 2.8.7

Mitigation steps: Update to My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) version 2.8.7 or greater.


Social Icons Widget & Block – Social Media Icons & Share Buttons – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-4063
Number of Installations: 100,000+
Affected Software: Social Icons Widget & Block – Social Media Icons & Share Buttons <= 4.5.8
Patched Versions: Social Icons Widget & Block – Social Media Icons & Share Buttons 4.5.9

Mitigation steps: Update to Social Icons Widget & Block – Social Media Icons & Share Buttons version 4.5.9 or greater.


Tutor LMS – eLearning and online course solution – Insecure Direct Object References (IDOR)

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2025-32223
Number of Installations: 100,000+
Affected Software: Tutor LMS – eLearning and online course solution <= 3.9.4
Patched Versions: Tutor LMS – eLearning and online course solution 3.9.5

Mitigation steps: Update to Tutor LMS – eLearning and online course solution version 3.9.5 or greater.


Tutor LMS – eLearning and online course solution – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-23799
Number of Installations: 100,000+
Affected Software: Tutor LMS – eLearning and online course solution <= 3.9.5
Patched Versions: Tutor LMS – eLearning and online course solution 3.9.6

Mitigation steps: Update to Tutor LMS – eLearning and online course solution version 3.9.6 or greater.


Tutor LMS – eLearning and online course solution – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2025-13673
Number of Installations: 100,000+
Affected Software: Tutor LMS – eLearning and online course solution <= 3.9.6
Patched Versions: Tutor LMS – eLearning and online course solution 3.9.7

Mitigation steps: Update to Tutor LMS – eLearning and online course solution version 3.9.7 or greater.


Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress – Insecure Direct Object References (IDOR)

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2026-3453
Number of Installations: 100,000+
Affected Software: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11
Patched Versions: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress 4.16.12

Mitigation steps: Update to Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress version 4.16.12 or greater.


WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2830
Number of Installations: 100,000+
Affected Software: WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets <= 4.0.0
Patched Versions: WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets 4.0.1

Mitigation steps: Update to WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets version 4.0.1 or greater.


Download Monitor – Insecure Direct Object References (IDOR)

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2026-3124
Number of Installations: 90,000+
Affected Software: Download Monitor <= 5.1.7
Patched Versions: Download Monitor 5.1.8

Mitigation steps: Update to Download Monitor version 5.1.8 or greater.


JetFormBuilder — Dynamic Blocks Form Builder – Arbitrary File Download

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Download
CVE: CVE-2026-4373
Number of Installations: 90,000+
Affected Software: JetFormBuilder — Dynamic Blocks Form Builder <= 3.5.6.2
Patched Versions: JetFormBuilder — Dynamic Blocks Form Builder 3.5.6.3

Mitigation steps: Update to JetFormBuilder — Dynamic Blocks Form Builder version 3.5.6.3 or greater.


JetFormBuilder — Dynamic Blocks Form Builder – Remote Code Execution (RCE)

Security Risk: Critical
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2026-32525
Number of Installations: 90,000+
Affected Software: JetFormBuilder — Dynamic Blocks Form Builder <= 3.5.6.1
Patched Versions: JetFormBuilder — Dynamic Blocks Form Builder 3.5.6.2

Mitigation steps: Update to JetFormBuilder — Dynamic Blocks Form Builder version 3.5.6.2 or greater.


Booking for Appointments and Events Calendar – Amelia – Privilege Escalation

Security Risk: High
Exploitation Level: Custom role
Vulnerability: Privilege Escalation
CVE: CVE-2026-24963
Number of Installations: 90,000+
Affected Software: Booking for Appointments and Events Calendar – Amelia <= 1.9.9
Patched Versions: Booking for Appointments and Events Calendar – Amelia 2.0

Mitigation steps: Update to Booking for Appointments and Events Calendar – Amelia version 2.0 or greater.


Booking for Appointments and Events Calendar – Amelia – Broken Authentication

Security Risk: High
Exploitation Level: Requires Customer or higher level authentication.
Vulnerability: Broken Authentication
CVE: CVE-2026-2931
Number of Installations: 90,000+
Affected Software: Booking for Appointments and Events Calendar – Amelia <= 9.1
Patched Versions: Booking for Appointments and Events Calendar – Amelia 9.2

Mitigation steps: Update to Booking for Appointments and Events Calendar – Amelia version 9.2 or greater.


Import and export users and customers – Privilege Escalation

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2026-3629
Number of Installations: 80,000+
Affected Software: Import and export users and customers <= 1.9.9
Patched Versions: Import and export users and customers 2.0

Mitigation steps: Update to Import and export users and customers version 2.0 or greater.


Jupiter X Core – Broken Access Control

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-3533
Number of Installations: 80,000+
Affected Software: Jupiter X Core <= 4.14.1
Patched Versions: Jupiter X Core 4.14.2

Mitigation steps: Update to Jupiter X Core version 4.14.2 or greater.


SlimStat Analytics – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-1238
Number of Installations: 80,000+
Affected Software: SlimStat Analytics <= 5.3.9
Patched Versions: SlimStat Analytics 5.4.0

Mitigation steps: Update to SlimStat Analytics version 5.4.0 or greater.


LearnPress – WordPress LMS Plugin for Create and Sell Online Courses – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-3225
Number of Installations: 80,000+
Affected Software: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses <= 4.3.2
Patched Versions: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses 4.3.3

Mitigation steps: Update to LearnPress – WordPress LMS Plugin for Create and Sell Online Courses version 4.3.3 or greater.


LearnPress – WordPress LMS Plugin for Create and Sell Online Courses – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-3226
Number of Installations: 80,000+
Affected Software: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses <= 4.3.2
Patched Versions: LearnPress – WordPress LMS Plugin for Create and Sell Online Courses 4.3.3

Mitigation steps: Update to LearnPress – WordPress LMS Plugin for Create and Sell Online Courses version 4.3.3 or greater.


Online Scheduling and Appointment Booking System – Bookly – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-32540
Number of Installations: 70,000+
Affected Software: Online Scheduling and Appointment Booking System – Bookly <= 26.7
Patched Versions: Online Scheduling and Appointment Booking System – Bookly 26.8

Mitigation steps: Update to Online Scheduling and Appointment Booking System – Bookly version 26.8 or greater.


EmailKit – Email Customizer for WooCommerce & WP – Path Traversal

Security Risk: Medium
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Path Traversal
CVE: CVE-2026-3474
Number of Installations: 70,000+
Affected Software: EmailKit – Email Customizer for WooCommerce & WP <= 1.6.3
Patched Versions: EmailKit – Email Customizer for WooCommerce & WP 1.6.4

Mitigation steps: Update to EmailKit – Email Customizer for WooCommerce & WP version 1.6.4 or greater.


SMTP Mailer – Sensitive Data Exposure

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2026-32538
Number of Installations: 70,000+
Affected Software: SMTP Mailer <= 1.1.24
Patched Versions: SMTP Mailer 1.1.25

Mitigation steps: Update to SMTP Mailer version 1.1.25 or greater.


GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2257
Number of Installations: 70,000+
Affected Software: GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools <= 4.3.2
Patched Versions: GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools 4.3.3

Mitigation steps: Update to GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools version 4.3.3 or greater.


GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools – Insecure Direct Object References (IDOR)

Security Risk: Medium
Exploitation Level: Requires Author or higher level authentication.
Vulnerability: Insecure Direct Object References (IDOR)
CVE: CVE-2026-2879
Number of Installations: 70,000+
Affected Software: GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools <= 4.3.2
Patched Versions: GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools 4.3.3

Mitigation steps: Update to GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools version 4.3.3 or greater.


Database for Contact Form 7, WPforms, Elementor forms – PHP Object Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2026-2599
Number of Installations: 70,000+
Affected Software: Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7
Patched Versions: Database for Contact Form 7, WPforms, Elementor forms 1.4.8

Mitigation steps: Update to Database for Contact Form 7, WPforms, Elementor forms version 1.4.8 or greater.


Greenshift – animation and page builder blocks – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-2371
Number of Installations: 70,000+
Affected Software: Greenshift – animation and page builder blocks <= 12.8.3
Patched Versions: Greenshift – animation and page builder blocks 12.8.4

Mitigation steps: Update to Greenshift – animation and page builder blocks version 12.8.4 or greater.


Greenshift – animation and page builder blocks – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-2589
Number of Installations: 70,000+
Affected Software: Greenshift – animation and page builder blocks <= 12.8.3
Patched Versions: Greenshift – animation and page builder blocks 12.8.4

Mitigation steps: Update to Greenshift – animation and page builder blocks version 12.8.4 or greater.


Greenshift – animation and page builder blocks – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2593
Number of Installations: 70,000+
Affected Software: Greenshift – animation and page builder blocks <= 12.8.5
Patched Versions: Greenshift – animation and page builder blocks 12.8.6

Mitigation steps: Update to Greenshift – animation and page builder blocks version 12.8.6 or greater.


Media Library Assistant – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-3072
Number of Installations: 70,000+
Affected Software: Media Library Assistant <= 3.33
Patched Versions: Media Library Assistant 3.34

Mitigation steps: Update to Media Library Assistant version 3.34 or greater.


wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin – Local File Inclusion

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Local File Inclusion
CVE: CVE-2026-28039
Number of Installations: 70,000+
Affected Software: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin <= 6.5.0.1
Patched Versions: wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin 6.5.0.2

Mitigation steps: Update to wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin version 6.5.0.2 or greater.


WP ULike – Like & Dislike Buttons for Engagement and Feedback – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2358
Number of Installations: 70,000+
Affected Software: WP ULike – Like & Dislike Buttons for Engagement and Feedback <= latest
Patched Versions: No Fix

Mitigation steps: No patch available. Consider disabling or removing the plugin until a fix is released.


Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin – Broken Access Control

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-3045
Number of Installations: 60,000+
Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.9
Patched Versions: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin 1.6.10.0

Mitigation steps: Update to Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin version 1.6.10.0 or greater.


Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Requires Staff or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2026-1704
Number of Installations: 60,000+
Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.9
Patched Versions: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin 1.6.10.0

Mitigation steps: Update to Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin version 1.6.10.0 or greater.


Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2026-1708
Number of Installations: 60,000+
Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.28
Patched Versions: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin 1.6.9.29

Mitigation steps: Update to Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin version 1.6.9.29 or greater.


Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2026-3658
Number of Installations: 60,000+
Affected Software: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.10.1
Patched Versions: Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin 1.6.10.2

Mitigation steps: Update to Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin version 1.6.10.2 or greater.


Contextual Related Posts – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-32565
Number of Installations: 60,000+
Affected Software: Contextual Related Posts <= 4.2.1
Patched Versions: Contextual Related Posts 4.2.2

Mitigation steps: Update to Contextual Related Posts version 4.2.2 or greater.


Drag and Drop Multiple File Upload for Contact Form 7 – Arbitrary File Upload

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Arbitrary File Upload
CVE: CVE-2026-3459
Number of Installations: 60,000+
Affected Software: Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.5
Patched Versions: Drag and Drop Multiple File Upload for Contact Form 7 1.3.9.6

Mitigation steps: Update to Drag and Drop Multiple File Upload for Contact Form 7 version 1.3.9.6 or greater.


Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress – SQL Injection

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2026-1651
Number of Installations: 60,000+
Affected Software: Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress <= 5.9.16
Patched Versions: Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress 5.9.17

Mitigation steps: Update to Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress version 5.9.17 or greater.


Fast Page & Post Duplicator – SQL Injection

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2026-2893
Number of Installations: 60,000+
Affected Software: Fast Page & Post Duplicator <= 6.3
Patched Versions: Fast Page & Post Duplicator 6.4

Mitigation steps: Update to Fast Page & Post Duplicator version 6.4 or greater.


Seraphinite Accelerator – Sensitive Data Exposure

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Sensitive Data Exposure
CVE: CVE-2026-3058
Number of Installations: 60,000+
Affected Software: Seraphinite Accelerator <= 2.28.14
Patched Versions: Seraphinite Accelerator 2.28.15

Mitigation steps: Update to Seraphinite Accelerator version 2.28.15 or greater.


Seraphinite Accelerator – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-3056
Number of Installations: 60,000+
Affected Software: Seraphinite Accelerator <= 2.28.14
Patched Versions: Seraphinite Accelerator 2.28.15

Mitigation steps: Update to Seraphinite Accelerator version 2.28.15 or greater.


Product Filter for WooCommerce by WBW – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-3138
Number of Installations: 60,000+
Affected Software: Product Filter for WooCommerce by WBW <= 3.1.2
Patched Versions: Product Filter for WooCommerce by WBW 3.1.3

Mitigation steps: Update to Product Filter for WooCommerce by WBW version 3.1.3 or greater.


User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder – Privilege Escalation

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2026-1492
Number of Installations: 60,000+
Affected Software: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder <= 5.1.2
Patched Versions: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder 5.1.3

Mitigation steps: Update to User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder version 5.1.3 or greater.


User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder – Privilege Escalation

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Privilege Escalation
CVE: CVE-2026-32488
Number of Installations: 60,000+
Affected Software: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder <= 5.1.2
Patched Versions: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder 5.1.3

Mitigation steps: Update to User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder version 5.1.3 or greater.


User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-4056
Number of Installations: 60,000+
Affected Software: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder <= 5.1.4
Patched Versions: User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder 5.1.5

Mitigation steps: Update to User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder version 5.1.5 or greater.


Ultra Addons for Contact Form 7 – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-32460
Number of Installations: 60,000+
Affected Software: Ultra Addons for Contact Form 7 <= 3.5.36
Patched Versions: Ultra Addons for Contact Form 7 3.5.37

Mitigation steps: Update to Ultra Addons for Contact Form 7 version 3.5.37 or greater.


Visual Portfolio, Photo Gallery & Post Grid – Local File Inclusion

Security Risk: High
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Local File Inclusion
CVE: CVE-2026-32537
Number of Installations: 60,000+
Affected Software: Visual Portfolio, Photo Gallery & Post Grid <= 3.5.1
Patched Versions: Visual Portfolio, Photo Gallery & Post Grid 3.5.2

Mitigation steps: Update to Visual Portfolio, Photo Gallery & Post Grid version 3.5.2 or greater.


Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts – Remote Code Execution (RCE)

Security Risk: Critical
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Remote Code Execution (RCE)
CVE: CVE-2026-25366
Number of Installations: 60,000+
Affected Software: Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts <= 2.7.1
Patched Versions: Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts 2.7.2

Mitigation steps: Update to Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts version 2.7.2 or greater.


WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2026-3222
Number of Installations: 60,000+
Affected Software: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.9.1
Patched Versions: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters 4.9.2

Mitigation steps: Update to WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters version 4.9.2 or greater.


WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters – SQL Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: SQL Injection
CVE: CVE-2026-2580
Number of Installations: 60,000+
Affected Software: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.9.1
Patched Versions: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters 4.9.2

Mitigation steps: Update to WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters version 4.9.2 or greater.


Advanced Product Fields (Product Addons) for WooCommerce – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-32457
Number of Installations: 50,000+
Affected Software: Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.18
Patched Versions: Advanced Product Fields (Product Addons) for WooCommerce 1.6.19

Mitigation steps: Update to Advanced Product Fields (Product Addons) for WooCommerce version 1.6.19 or greater.


Blog2Social: Social Media Auto Post & Scheduler – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-4331
Number of Installations: 50,000+
Affected Software: Blog2Social: Social Media Auto Post & Scheduler <= 8.8.2
Patched Versions: Blog2Social: Social Media Auto Post & Scheduler 8.8.3

Mitigation steps: Update to Blog2Social: Social Media Auto Post & Scheduler version 8.8.3 or greater.


RTMKit – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-12473
Number of Installations: 50,000+
Affected Software: RTMKit <= 1.9.9
Patched Versions: RTMKit 2.0.0

Mitigation steps: Update to RTMKit version 2.0.0 or greater.


RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging – Cross Site Scripting (XSS)

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2433
Number of Installations: 50,000+
Affected Software: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.11
Patched Versions: RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging 5.0.12

Mitigation steps: Update to RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging version 5.0.12 or greater.


OoohBoi Steroids for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3034
Number of Installations: 50,000+
Affected Software: OoohBoi Steroids for Elementor <= 2.1.24
Patched Versions: OoohBoi Steroids for Elementor 2.1.25

Mitigation steps: Update to OoohBoi Steroids for Elementor version 2.1.25 or greater.


Sina Extension for Elementor – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2025-6229
Number of Installations: 50,000+
Affected Software: Sina Extension for Elementor <= 3.7.0
Patched Versions: Sina Extension for Elementor 3.7.1

Mitigation steps: Update to Sina Extension for Elementor version 3.7.1 or greater.


Smart Custom Fields – Broken Access Control

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Broken Access Control
CVE: CVE-2026-4066
Number of Installations: 50,000+
Affected Software: Smart Custom Fields <= 5.0.6
Patched Versions: Smart Custom Fields 5.0.7

Mitigation steps: Update to Smart Custom Fields version 5.0.7 or greater.


Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin – Arbitrary File Upload

Security Risk: High
Exploitation Level: Requires Administrator or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2026-2269
Number of Installations: 50,000+
Affected Software: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 7.0.9
Patched Versions: Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin 7.1.0

Mitigation steps: Update to Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin version 7.1.0 or greater.


WP-Members Membership Plugin – SQL Injection

Security Risk: High
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: SQL Injection
CVE: CVE-2026-2363
Number of Installations: 50,000+
Affected Software: WP-Members Membership Plugin <= 3.5.5
Patched Versions: WP-Members Membership Plugin 3.5.6

Mitigation steps: Update to WP-Members Membership Plugin version 3.5.6 or greater.


Themes


Astra – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-3534
Number of Downloads: 21,720,242
Affected Software: Astra <= 4.12.3
Patched Versions: Astra 4.12.4

Mitigation steps: Update to Astra theme version 4.12.4 or greater.


Blocksy – Cross Site Scripting (XSS)

Security Risk: Medium
Exploitation Level: Requires Contributor or higher level authentication.
Vulnerability: Cross Site Scripting (XSS)
CVE: CVE-2026-2583
Number of Downloads: 6,306,227
Affected Software: Blocksy <= 2.1.30
Patched Versions: Blocksy 2.1.31

Mitigation steps: Update to Blocksy theme version 2.1.31 or greater.


Nirvana – Local File Inclusion

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Local File Inclusion
CVE: CVE-2026-28119
Number of Downloads: 773,853
Affected Software: Nirvana <= latest
Patched Versions: No Fix

Mitigation steps: No patch available. Consider disabling or replacing the theme.


Education Zone – Broken Access Control

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-25009
Number of Downloads: 483,880
Affected Software: Education Zone <= 1.3.8
Patched Versions: Education Zone 1.3.9

Mitigation steps: Update to Education Zone theme version 1.3.9 or greater.


Ona – Arbitrary File Upload

Security Risk: Critical
Exploitation Level: Requires Subscriber or higher level authentication.
Vulnerability: Arbitrary File Upload
CVE: CVE-2026-32482
Number of Downloads: 243,101
Affected Software: Ona <= 1.23
Patched Versions: Ona 1.24

Mitigation steps: Update to Ona theme version 1.24 or greater.


News Magazine X – Broken Access Control

Security Risk: High
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
CVE: CVE-2026-24382
Number of Downloads: 76,558
Affected Software: News Magazine X <= 1.2.50
Patched Versions: News Magazine X 1.2.51

Mitigation steps: Update to News Magazine X theme version 1.2.51 or greater.


Estate – PHP Object Injection

Security Risk: Critical
Exploitation Level: No authentication required.
Vulnerability: PHP Object Injection
CVE: CVE-2026-22475
Number of Downloads: 58,132
Affected Software: Estate <= latest
Patched Versions: No Fix

Mitigation steps: No patch available. Consider disabling or replacing the theme.


Update your website software to mitigate risk. Users who are not able to update their software with the latest version are encouraged to use a web application firewall to help virtually patch known vulnerabilities and protect their website.

Source: https://blog.sucuri.net/2026/04/vulnerability-patch-roundup-march-2026.html